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IJPNP - Multiple Remote Windows XP/ME/98 Vulnerabilities 

Release Date: 

December 20, 2001 

Severity: 
High 

Vendor: 

Microsoft 

Systems Affected: 

Microsoft Windows XP (All default systems) 
Microsoft Windows 98 (Certain configurations) 
Microsoft Windows 98SE (Certain configurations) 
Microsoft Windows ME (Certain configurations) 

Overview: 

Windows XP ships by default with a UFNP (Universal Plug and Play) 
service which can be used to detect and integrate with UPNP aware 
devices. Windows ME does not ship by default with the UPNP service; 
however, some OEM versions do provide the UPNP service by default. 
Also, it is possible to install the Windows XP Internet Connection 
Sharing on top of Windows 98, therefore making it vulnerable. 

As described on upnp.org: "UPNP architecture offers pervasive peer-to- 
peer network connectivity of PCs of all form factors, intelligent 
appliances, and wireless devices. UPNP architecture leverages TCP/IP 
and the Web to enable seamless proximity networking in addition to 
control and data transfer among networked devices in the home, office, 
and everywhere in between". 

Technical Details: 

We at eEye believe that there are several security issues with the UPNP 
protocol itself; however, these more generic issues are out of the scope 
of this advisory. Expect a detailed paper to be released from eEye within 
the coming weeks. 

This advisory covers three vulnerabilities within Microsoft's UPNP 
implementation. A remotely exploitable buffer overflow to gain 
SYSTEM level access to any default installation of Windows XP, a 
Denial-of-Service (DoS) attack, and a Distributed Denial-of-Service 
(DDoS) attack. 

7. The SYSTEM Remote Exploit 

The first vulnerability within Microsoft's implementation of the UPNP 
protocol can result in an attacker gaining remote SYSTEM level access 
to any default installation of Windows XP. SYSTEM is the highest level 
of access within Windows XP. 
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During testing of the UPNP service, we discovered that by sending 
malformed advertisements at various speeds we could cause access 
violations on the target machine. Most of these violations were due to 
pointers being overwritten. The following describes one instance of our 
testing: 

Example Session: 

NOTIFY* HTTP/1.1 

HOST: 239.255.255.250:1900 

CACHE-CONTROL: max-age=10 

LOCATION: http://IPADDRESS:PORT/.xml 

NT: um:schemas-upnp-org:device:InternetGatewayDevice: 1 

NTS: ssdp:alive 

SERVER: EEYE/2001 UPnP/LO product/1.1 
USN: uuid:EEYE 

If a buffer is incremented in the protocol, port, and uri fields of the 
Location URL arid send sessions with 10,000 microsecond intervals, 
access violations will begin to be observed. In one situation, The EAX 
and ECX registers will contain addresses that are pulled from the 
memory that was overwritten and the svchost.exe process will access an 
invalid memory address at a "moy" instruction. It throws an access 
violation due to the fact that the destination address is an overwritten 
pointer, but there is nothing interesting at 0x41414141. 

During our testing we discovered that there are multiple points of 
exploitation. We found instances of stack overflows and heap overflows, 
both of which were exploitable. In the case of the heap overflow we saw 
pointers being overwritten for both buffers and functions. 

The SSDP service also listens on Multicast and Broadcast addresses. 
Therefore gaining SYSTEM access to an entire network of XP machines 
is possible with only one anonymous UDP SSDP attack session. 

2. The DoS andDDoS ^ 

A- ^ ^ ' ^ 

j UPNP consists of multiple protocols, one of which being the Simple 
/ Service Discovery Protocol (SSDP). When a UPNP enabled device is 
installed on a network, whether it be a computer, network device, or 
even a household appliance, the device sends out an advertisement to 
notify control points of its existence. On a default XP installation, no 
\ support is added for device control as it would be the case in an 
\ installation of UPNP from "Network Services". ^-—-^ 



Although Microsoft added default support for an 

"IntemetGatewayDevice", if an application is set up to "sniff a network 
with XP, XP can be observed searching for this device as XP is loading. 
This support was added to aid leading network hardware manufactures in 
making UPnP enabled "gateway devices". 
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By sending a malicious spoofed UDP packet containing an SSDP 
advertisement, an attacker can force the XP/ME client to connect back to 
a specified IP address and pass on a specified HTTP/HTTPS request. 

An example session: 

NOTIFY* HTTP/1.1 
HOST: 239.255.255.250:1900 
CACHE-CONTROL: max-age=l 
LOCATION: URL 

NT: urn: schemas-upnp-org:device:InternetGatewayDevice:l 
NTS: ssdp:alive 

SERVER: EEYE/2001 UPnP/l.O PASSITON/1.1 
USN: uuid:EEYE 

The above packet data needs to be sent as a UDP packet to port 1900 of 
the XP/ME machine. 

When the XP machine receives this request, it will interpret the URL 
following the LOCATION header entity. With no sanitizing of the URL 
it is passed on to the functions in the Windows Internet Services API. 
The string is broken down and the new session is created. 

For example: 

LOCATION: http://xptest.exainple.com: 19/himom.html 

A malicious attacker could specify a chargen service on a remote 
machine causing the XP client to connect and get caught in a tight 
read/malloc loop. Doing this will throw the machine into an unstable 
state where CPU utilization is at %100 and memory is being allocated to 
the point that it is totally consumed. This basically makes the remote XP 
system completely unusable and requires a physical power-off 
shutdown. 

Attackers could also use this exploit to control other XP machines, 
forcing such machines to perform Unicode attacks, double decode, or 
random CGI exploiting. Due to the insecure nature of UDP, an attacker 
can exploit security holes on a web server using UPNF with almost total 
anonymity. 

One of the bigger problems, and why this can become a DDoS attack, is 
that this SSDP announcement can be sent to broadcast addresses and 
multicast. It is therefore possible to send one UDP packet causing all XP 
machines on the target network to be navigated to the URL of choice, 
performing an attack of choice. 

Also since parts of the UPNP service are implemented as UDP (in our 
opinion, a bad idea), it makes all of these attacks completely untraceable. 

Vendor Status: 

Microsoft has released a patch and security bulletin which is located at: 
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http://www.microsoftxom/technet/security^ulletin/MS01-059.asp 

To verify that the patch has been installed on your system, do the 
following: 

Windows 98 and 98SE: 

Select Start, then Run, then run the QFECheck utility. If the patch is 
installed, "Windows 98 Q3 14941 Update" will be listed among the 
installed patches. To verify the individual files, use the file manifest 
provided in Knowledge Base article Q3 14941. 

Windows ME: 

Select Start, then Run, then run the QFECheck utility. If the patch is 
installed, "Windows Millennium Edition Q3 14757 Update" will be listed 
among the installed patches. To verify the individual files, use the file 
manifest provided in Knowledge Base article Q3 14757. 

Windows XP: 

Confirm that the following registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
XP\SP1\Q3 15000. To verify the individual files, use the date/time and 
version information provided in the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
XP\SPl\Q315000\Filelist. 

The Common Vulnerabilities and Exposures (CVE) project has assigned 

the following two IDs: 

The Buffer Overflow: CAN-2001-0876 

The Denial of Service: CAN-2001-0877 

This is a candidate for inclusion in the CVE list http://cve.mitre.org) 
which standardizes names for security problems. 

We would strongly suggest denying all UPNP traffic at your internet 
borders as there is really no need to allow UPNP traffic across the 
Internet. Also, it would be wise to completely turn off the UPNP 
services as most users are probably not utilizing them. The less services 
running on your machine, the safer you will be. The SSDP Discovery 
Service and Universal Plug and Play Host service should both be set to 
disabled. 

Credit: 

Discovery: Riley Hassell 
With extra help from: 

Ryan Permeh - for technical advice and exploitation analysis for those 
difficult reverse engineering situations that Ryan has wet dreams about. 

Marc Maiffret - as always with superb technical insight helping to 
discover and exploit the vulnerabilities in this advisory and once again 
proving that two heads are better than one. 
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Neothoth - "The typing machine", for camping out day and night in the 
eEye lab hammering vulnerabilities in URL handlers. Neo rocks :) 

Related Links: 

http://www.microsoft.com/technet/security/bulletin/MSO 1 -059. asp 
Greetings: 

Mr. Patron and his tequila and the Three Wise Men (Jim, Jack and 
Johnny). Also Abraxas coffeeshop in Amsterdam. 
eEye would like to offer thanks to all organizations supporting full 
disclosure, especially Securityfocus.com and NMRC. Don't let silly 
politics get in the way of what is right for everyone's security. 

Oh yeah, one more thing: 

Four score and numerous advisories ago, a security company set off to 
tell the worid about its love of Tequila. However, little did people know, 
the team was not even legal Now that the youngins Marc and Riley 
turned 21 this November we are all officially legal. That means the next 
time the NSA buys us beer at a SEC conference, they won't be breaking 
the law. 

Copyright (c) 1998-2007 eEye Digital Security 

Permission is hereby granted for the redistribution of this alert 
electronically. It is not to be edited in any way without express consent 
of eEye. If you wish to reprint the whole or any part of this alert in any 
other medium excluding electronic medium, please email 
alert(gleEye.com for permission. 

Disclaimer 

The information within this paper may change without notice. Use of 
this information constitutes acceptance for use in an AS IS condition. 
There are no warranties, implied or express, with regard to this 
information. In no event shall the author be liable for any direct or 
indirect damages whatsoever arising out of or in connection with the use 
or spread of this information. Any use of this information is at the user's 
own risk. 
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